Secure website - Database Login

I have an ASP.NET application with a MaxDB (SAP) database. Currently I am storing all connection string info in the web.config file.

What I would like to know is what is the best way to secure the application?

Also is there a way to send the username and password the user inputs on the login screen as variables to the connection string?
triplebd69 asked:

DropZone commented:
Then may I suggest the following approach, based on best practices:

- Create a single database user login specifically for the web application to access the database.  This login will not be used by anybody else except by the application, so that any database requests from this login are known to be from it.

- Set the login information as part of your connection string in the Web.Config file (preferably encrypted).  This is because IIS and the ASP.Net framework have mechanisms in place to specifically protect this file from outside attack.

- Create a table in your database for login information for the users of the web application.  This should contain at minimum a unique username and a password -- again it is very much recommended that it be encrypted or hashed.  Hashed is the preferred method because it prevents the plain-text password from being discovered from the one-way hash string.

- Set the web application to use FormsAuthentication (in the authorization section of the Web.Config).  When a user is going to "log-in" to your site, you perform a query to the database to see if the account information provided is valid, and if so, you create the AuthTicket (either manually, or by using one of the FormsAuthentication methods for doing this).  This only needs to be done once per session, and once the user is authenticated, the session can work normally.

- Alternatively, if this is an internal application (not published on the WWW), you may want to use integrated authentication, LDAP, or any of the other trusted mechanisms available from the .NET Framework.  The important thing is to allow the framework to handle the authentication and authorization for you, as it has been designed with proper security mechanisms.

Let me know if this helps.

    -dZ.
0
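A worked version of the flow DropZone describes (added example, not code from the original thread or from the asker's application): the application's own database login comes from an encrypted Web.Config section, the user's credentials are checked against a hashed-password table with a parameterized query, and the forms-authentication ticket is issued once. Assumed names: the "AppDb" connection string, the WebUsers table with Username and PasswordHash columns, ODBC as the MaxDB provider; PBKDF2 is the salted one-way hash chosen here.

```csharp
using System;
using System.Configuration;
using System.Data.Odbc;
using System.Security.Cryptography;
using System.Web.Security;

public static class LoginService
{
    // Single application DB login from Web.Config ("AppDb" and ODBC access to MaxDB are assumptions); user credentials never touch it.
    private static readonly string ConnStr = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Store "salt:hash", not the password: PBKDF2 (Rfc2898DeriveBytes) is a salted one-way hash, the option the answer prefers.
    public static string HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(kdf.GetBytes(HashSize));
    }

    // Re-derive with the stored salt and compare in constant time, so a mismatch costs the same whichever byte differs.
    public static bool VerifyPassword(string password, string stored)
    {
        var parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) actual = kdf.GetBytes(expected.Length);
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    // Login-page handler: look the user up in the web application's own users table (WebUsers and its
    // columns are assumed names) with a parameterized query, then issue the forms-authentication ticket once.
    public static bool TryLogin(string username, string password)
    {
        string stored;
        using (var conn = new OdbcConnection(ConnStr))
        using (var cmd = new OdbcCommand("SELECT PasswordHash FROM WebUsers WHERE Username = ?", conn))
        {
            cmd.Parameters.Add("@u", OdbcType.VarChar, 64).Value = username;
            conn.Open();
            stored = cmd.ExecuteScalar() as string;
        }
        if (stored == null || !VerifyPassword(password, stored)) return false;
        FormsAuthentication.SetAuthCookie(username, false); // AuthTicket created; no further DB check needed this session
        return true;
    }
}
```

The connectionStrings section of Web.Config can be encrypted in place with `aspnet_regiis -pe "connectionStrings" -app "/YourApp"`, which is how the "preferably encrypted" step above is usually done.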
 
DropZone commented:
If you are trying to secure your application, the last thing you want to do is accept account information from external users.  The most common way is to create a single user login for the web application to use, and have this stored in the Web.Config file (encrypted, if possible).  That way, you can properly manage access to the database and its resources.  This login should be exclusive for the web application, and no user should have access to it.

If you are interested in web application security, you may also want to check out the OWASP Top 10 list of common web application vulnerabilities:
http://www.owasp.org/index.php/OWASP_Top_Ten_Project

    -dZ.
0
 
Abu Hamdan (Enterprise Architect, PM Expert) commented:
Hello,

Securing the ASP.Net application can be done by using many methods like Forms authentication, LDAP, etc. And also you can pass the user name and password to the connection string in web.config, since when you are getting the connection string from web.config you can control it; for me, I always have to decrypt the password that is placed in the connection string to access the db.

0
 
DropZone commented:
>> "And also you can pass user name and password to connectionstring on web config ,, since when you are getting the connection  string from web.config you can control it"

As I said, although possible, this is not wise as you want to control access to the database.  You also want to separate login access to the database with login access to the site, or else risk increasing your attack surface by enabling a malicious user that gained access to your web site to access directly your database too.

Perhaps it would be useful if you explained a bit more what you mean by "secure the application".  Is it a password-protected site that you want to harden with proper security practices; or do you want to know how to add password-protection to your site?  If the former, check out the OWASP Top Ten link I sent.  If the latter, then hammdan is right:  you could use FormsAuthentication, etc.

    -dZ.
0
 
triplebd69 (Author) commented:
I just want to make sure the site is not going to be accessed by unauthorized users who can't get to the database.  Currently the app doesn't have any password protection and the only passwords used are to gain access to the db for queries.
0
 
triplebd69 (Author) commented:
DropZone,

Thanks for your feedback, you have given me a lot to consider.
0
 
DropZone commented:
No problem.  I know it can seem overwhelming, but once you understand the principles behind it, it's much easier to implement proper security.

This site may help you along: http://www.dotnetjunkies.com/quickstart/aspplus/doc/quickstart.aspx
In particular, check out the "Security" section.  It also has a lot of good information on many aspects of ASP.NET.

   Cheers!
     -dZ.
0